The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

"We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. "Judges are having to make up these powers as they go along."

Thank you. Judges are not supposed to just invent new powers for police as they go along. Police powers need a public debate and public enforcement.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

Whoever this guy is, he was apparently sending bomb threats from Iran. I would think that would justify some form of warrant, the question is more of if the format and breadth of their search was reasonable.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

Whoever this guy is, he was apparently sending bomb threats from Iran. I would think that would justify some form of warrant, the question is more of if the format and breadth of their search was reasonable.

I think his point was that the warrant was too broad as although the fourth amendment does provide for warrants to be created allowing a search, a warrant cannot approve an "unreasonable" search. Which this appears to be, in my opinion. A malware which can remotely activate cameras and microphones to record a person without their knowledge or consent is pretty damn creepy. All they managed to get was the IP address, which seems like a reasonable limit to me.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

Whoever this guy is, he was apparently sending bomb threats from Iran. I would think that would justify some form of warrant, the question is more of if the format and breadth of their search was reasonable.

From what I get from the article, the warrant was issued against anyone logging into that account, because there would never, ever be more than one person logging into an email account from more than one computer, right?

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

I think the law should require the target be aware of the search, so they can take it to court if they feel it's unconstitutional.

If they turn up at my door I can't stop the search but I know it's happening. Why shouldn't the same be required of digital equivalents?

Why should it? Most surveillance doesn't happen with the targets knowledge, and there are legal mechanisms for searching without the targets knowledge already.

I mean, I'm glad I know about it. But they got a warrant to do exactly what they said they were going to do, and then tried to do exactly that. "Legal/Illegal" are just made up terms for procedures governments make up as they go. The point is, "is it harmful to the public good or not?" And I don't see this specifically targeted attack on a perfectly reasonable suspect as harmful to the public good.

you are right, yee-haw go gettem! Absolutely no chance a non-offender would be involved with a warrant against an email address! I'd bet that the FBI had (maybe just a little) rendition-envy.

really? All the down-votes? Do I really have to say " ip address !=person" ? If anyone can present an honest argument for the FBI (domestic) injecting a malicious payload into an email account of a suspected foreign agent, I would like to hear it. Not this BS of "The Judge said it's ok".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

I think the law should require the target be aware of the search, so they can take it to court if they feel it's unconstitutional.

If they turn up at my door I can't stop the search but I know it's happening. Why shouldn't the same be required of digital equivalents?

In some contexts, knowing about the search would prevent the police from catching you in the act. Imagine if the police had to announce their presence when they tapped your phone call.

If the search results in a criminal charge, you can challenge the search then and insist certain evidence be excluded. If there is no charge but the search results in some kind of measurable harm, in some cases, you can sue the government for reparations.

Sounds like Ars when instead of suggesting that he not make bomb threats, commenters give suggestions on how to not end up getting malware.

(I wouldn't be surprised if it's just some zero-day GIF or similar exploit that the FBI bought. There's really nothing you can do against anything close to that, save for not attracting their attention in the first place.)

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Because a Judge signed off on a warrant? Typically that is when the authorities are allowed to look through whatever damn thing the warrant covers.

As long as their is judicial oversight and a warrant is sought and granted before the surveillance attempt I don't have a problem with this. Maybe I should, if someone wants to tell me why I should I would be happy to listen.

So exactly how does warrant to search someone, somewhere or something equate into installing malware on whatever computer happens to log into said account? Last time I checked, searching was not a legitimate defense against the Computer Abuse and Fraud Act. Yet another example of two sets of rules.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Because a Judge signed off on a warrant? Typically that is when the authorities are allowed to look through whatever damn thing the warrant covers.

As long as their is judicial oversight and a warrant is sought and granted before the surveillance attempt I don't have a problem with this. Maybe I should, if someone wants to tell me why I should I would be happy to listen.

maybe if there was INFORMED (meaning the judge actually understands what the hell is being requested/granted) oversight, I could agree with you. I do not feel threatened, terrorized, or otherwise inconvenienced by random internet bomb threats; is there a reason that such threats got the Feds in such a tizzy? When was the last terrorist attack on domestic soil emailed ahead of time?

The warrant was really unecessary in this case, but I can see why they did it - just in case the subject of their surveillance was within the US. Warrant protection would only apply to US persons, not foreign persons in other countries.

The warrant was really unecessary in this case, but I can see why they did it - just in case the subject of their surveillance was within the US. Warrant protection would only apply to US persons, not foreign persons in other countries.

From what I understand, the FBI did not know where this person was located. So getting a search warrant is necessary if there will be a US prosecution. The fact the person is apparently in Iran does not relieve the government of following proper procedure.

Not sure I get the comparison of seizing everything in a person's house as opposed to what is allowed in a warrant. When searching the house the officials would go through and look at all kinds of items and information to determine what they can take.

This is essentially doing the same thing. They have to sift through the information to find the relevant pieces. They can't just magically know where everything is, just like they can't know where all seizable documents are in a house. The remedy for law enforcement over reaching on warrants is already built into the judicial system. I am not seeing how this is that different or special to handle it in a unique way.

If they have a warrant to track a person's visitations to terrorist sites or bomb making sites etc, then they can capture and keep it while discarding the rest. Using any other information would be fruit from the poisonous tree and subject evidence becoming inadmissable.

I think there is some general butthurt from people not knowing or believing law enforcement had any technical savvy at all. Instead we find out just the opposite. Not to mention there are so many different issues that each needs to be reviewed on its own. Instead we are in a collective knee jerk state of "government use computer bad". I can't really speak to the specifics of this case. I just think our system already deals with search and seizure issues and we do not need additional complex lawyers of laws to protect us. We just need proper usage of existing laws.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

Whoever this guy is, he was apparently sending bomb threats from Iran. I would think that would justify some form of warrant, the question is more of if the format and breadth of their search was reasonable.

I think his point was that the warrant was too broad as although the fourth amendment does provide for warrants to be created allowing a search, a warrant cannot approve an "unreasonable" search. Which this appears to be, in my opinion. A malware which can remotely activate cameras and microphones to record a person without their knowledge or consent is pretty damn creepy. All they managed to get was the IP address, which seems like a reasonable limit to me.

How is it creepy? Wiretaps and video warrants are issued. I don't know if they used these devices in this case or had a warrant to do so but the current system does allow law enforcement to plant bugs. How would getting a warrant to listen to a computer microphone be any different.

I just feel the experts are trying to make this way more complicated than it needs to be. Acting like it is impossible to apply our current law of the land on search and seizure warrants for computers and computer usage is a bit much. People have another agenda here. The worst thing that we can have happen is to have special laws drawn up which will only serve to reduce our personal freedoms.

The judicial branch is designed to adapt to these kinds of things and if judges make mistakes that is why we have a large system of appeals so it can be gotten right. I see no need to move this from the judicial branch to the legislative branch and in fact think that would be horrible.

The warrant authorizes an "Internet web link" that would download the surveillance software to Mo’s computer when he signed onto his Yahoo account. (Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

Uhm yeah, I find myself struggling to find any logical way that installing surveillance software via a js injection attack doesn't qualify as the electronic equivalent of "reading through someone's unopened mail/personal effects". I can't figure out a way this doesn't run across the "illegal search" half of "illegal search and seizure".

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

Whoever this guy is, he was apparently sending bomb threats from Iran. I would think that would justify some form of warrant, the question is more of if the format and breadth of their search was reasonable.

I think his point was that the warrant was too broad as although the fourth amendment does provide for warrants to be created allowing a search, a warrant cannot approve an "unreasonable" search. Which this appears to be, in my opinion. A malware which can remotely activate cameras and microphones to record a person without their knowledge or consent is pretty damn creepy. All they managed to get was the IP address, which seems like a reasonable limit to me.

How is it creepy? Wiretaps and video warrants are issued. I don't know if they used these devices in this case or had a warrant to do so but the current system does allow law enforcement to plant bugs. How would getting a warrant to listen to a computer microphone be any different.

I just feel the experts are trying to make this way more complicated than it needs to be. Acting like it is impossible to apply our current law of the land on search and seizure warrants for computers and computer usage is a bit much. People have another agenda here. The worst thing that we can have happen is to have special laws drawn up which will only serve to reduce our personal freedoms.

The judicial branch is designed to adapt to these kinds of things and if judges make mistakes that is why we have a large system of appeals so it can be gotten right. I see no need to move this from the judicial branch to the legislative branch and in fact think that would be horrible.

While I can see your point that wiretap and video warrants do exist, I feel that it is different to install malicious software on a person's computer to execute the warrant.

As to it being better left in the hands of the judiciary to decide what police powers are, I respectfully disagree. Judges are not elected to pass laws, they are elected to interpret and execute the law passed by the legislature and implemented by the executive. Having specific laws drawn up to limit person freedom as you put it may be bad, but it is no better if case law is drawn up by individuals who do not understand the technology at play on an ongoing basis.

There is a place for judicial activism, and it lies in limiting the legislative and executive branches' powers that is, striking down unconstitutional laws. Creating new powers for them lies well outside their intended scope of practice.

Apparently they had a warrant for the search. Police can read through someone's unopened mail and personal effects if it is justified and they get a warrant.

Did you mean that the warrant was too broad?

I think the law should require the target be aware of the search, so they can take it to court if they feel it's unconstitutional.

If they turn up at my door I can't stop the search but I know it's happening. Why shouldn't the same be required of digital equivalents?

Why should it? Most surveillance doesn't happen with the targets knowledge, and there are legal mechanisms for searching without the targets knowledge already.

I mean, I'm glad I know about it. But they got a warrant to do exactly what they said they were going to do, and then tried to do exactly that. "Legal/Illegal" are just made up terms for procedures governments make up as they go. The point is, "is it harmful to the public good or not?" And I don't see this specifically targeted attack on a perfectly reasonable suspect as harmful to the public good.

I'm not arguing the FBI did anything wrong, I understand they're following the law, but we're talking about a decision made in 1789 and it does not fit with today's era.

Whether it's "harmful to the public" or not is debatable. Personally I think it is harmful.

I see it as a clear human rights problem that if the government is invading my privacy as part of an investigation against me, I cannot defend myself. I want a chance to take it to court and that means I need to know the search took place.

*Especially* if the search finds nothing and they remove the target from the investigation, then it's especially important\ for there to be a court case dragging someone over hot coals for allowing the investigation in the first place.

Search warrants should take place when there is almost certainly going to be evidence found. Not when there is only suspicion. How can we the people know that is happening when we don't know about the searches?

In some contexts, knowing about the search would prevent the police from catching you in the act. Imagine if the police had to announce their presence when they tapped your phone call.

If the search results in a criminal charge, you can challenge the search then and insist certain evidence be excluded. If there is no charge but the search results in some kind of measurable harm, in some cases, you can sue the government for reparations.

If the target is a criminal then I don't care how he's caught, as long as he's caught. My issue is when there are no charges laid after the search doesn't find anything.

The notice wouldn't have to be immediate, perhaps it could be a 14 days later.

So, the FBI hackers have malware that can run as soon as you log into your webmail account, without you having to click on any links or even open up an e-mail? And they released this into the wild?

Better hope something like that doesn't fall into the hands of cyber criminals, or we are going to see a veritable apocalypse of malware infections.

Dear FBI, please consider the ramifications of what sort of weapons you use in your job. It's not quite the computer equivalent of mailing someone an envelope full of ebola virus, but it's damn close. Even if it is not self-replicating, it wouldn't take a black hat very long to use this in some sort of worm or virus. Once the FBI sent it, they had no control of what happened to it, and could do nothing to prevent it from spreading.

So, the FBI hackers have malware that can run as soon as you log into your webmail account, without you having to click on any links or even open up an e-mail? And they released this into the wild?

Better hope something like that doesn't fall into the hands of cyber criminals, or we are going to see a veritable apocalypse of malware infections.

Dear FBI, please consider the ramifications of what sort of weapons you use in your job. It's not quite the computer equivalent of mailing someone an envelope full of ebola virus, but it's damn close. Even if it is not self-replicating, it wouldn't take a black hat very long to use this in some sort of worm or virus. Once the FBI sent it, they had no control of what happened to it, and could do nothing to prevent it from spreading.

I'm assuming Yahoo cooperated with the FBI to plant the malware. So your garden variety hacker doesn't have the same access.

So, the FBI hackers have malware that can run as soon as you log into your webmail account, without you having to click on any links or even open up an e-mail? And they released this into the wild?

Better hope something like that doesn't fall into the hands of cyber criminals, or we are going to see a veritable apocalypse of malware infections.

Dear FBI, please consider the ramifications of what sort of weapons you use in your job. It's not quite the computer equivalent of mailing someone an envelope full of ebola virus, but it's damn close. Even if it is not self-replicating, it wouldn't take a black hat very long to use this in some sort of worm or virus. Once the FBI sent it, they had no control of what happened to it, and could do nothing to prevent it from spreading.

I'm assuming Yahoo cooperated with the FBI to plant the malware. So your garden variety hacker doesn't have the same access.

Quoted from the article:

Quote:

(Yahoo, when questioned by the Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

So, the FBI hackers have malware that can run as soon as you log into your webmail account, without you having to click on any links or even open up an e-mail? And they released this into the wild?

Better hope something like that doesn't fall into the hands of cyber criminals, or we are going to see a veritable apocalypse of malware infections.

Dear FBI, please consider the ramifications of what sort of weapons you use in your job. It's not quite the computer equivalent of mailing someone an envelope full of ebola virus, but it's damn close. Even if it is not self-replicating, it wouldn't take a black hat very long to use this in some sort of worm or virus. Once the FBI sent it, they had no control of what happened to it, and could do nothing to prevent it from spreading.

I'm assuming Yahoo cooperated with the FBI to plant the malware. So your garden variety hacker doesn't have the same access.

Even if that's the case, once it's on the computer of a suspect, should it get noticed it wouldn't take much to weaponize it.

more than anything, in these type of cases, the one who is more at fault than even the security service that wants permission to use the overreaching methods, are the judges themselves! they are supposed to know the law! they are supposed to know the constitution! they are supposed to know when the constitution is going to be kicked into touch by a law or a ruling! they are supposed to know when to stop something, legal or not, because it overrides the constitution! so why do they in general and she, in this particular case, give permission for the feds to do this? she needs removing from office! the person in the FBI needs removing from office too, as he/she should also know when the constitution is being screwed!there is always another way of achieving the same end result! there is no way that the feds didn't have more than this one option. that is the road they should have gone down!

First, it makes it pretty clear that the method of attack was a link in a phishing email:

Quote:

The FBI team works much like other hackers, using security weaknesses in computer programs to gain control of users’ machines. The most common delivery mechanism, say people familiar with the technology, is a simple phishing attack — a link slipped into an e-mail, typically labeled in a misleading way.

Second is this tidbit:

Quote:

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, now on the advisory board of Subsentio, a firm that helps telecommunications carriers comply with federal wiretap statutes.

It's always been speculated that an attacker could turn on a camera without turning on the light, but as far as I know no one has ever confirmed it or proved it could be done.